Search Results


Wednesday, January 27, 2016

SOA Web service security

A simple way of protecting web-services from unauthorized access is to use standard WS security. Web Services Security (WS-Security, WSS) is an extension to SOAP to apply security to Web services.

Oracle SOA suite 11g/12c provides an out of the box WS-Policies to protect web-services and to securely call a protected web service. In this article I'll show you how to do this.


How to protect a web-service with username and password


  • Open the composite.xml
  • Right Click on the exposed services and click Configure SOA WS policies..

  • Under Security click on the + button
  • Scroll down and select oracle/wss_username_token_service_policy and then OK

  • Now deploy and test. Very simple, isn't it?
  • For OSB, the same option is available on the proxy services.
  • To test this webservice WSSE header has to be passed with username and password
    • Please note that the username/password should be defined in the weblogic server. Refer the section below to learn how to create weblogic user.
Example webservice call:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:bpel="http://xmlns.oracle.com/TestMDSApplication/Project2/BPELProcess1">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>weblogic</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcome1</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <bpel:process>
         <bpel:input>as</bpel:input>
      </bpel:process>
   </soapenv:Body>
</soapenv:Envelope>


How to call a protected web-service


Now that we protected the service from unauthorized access, how do we call it from another webservice?
  • Open the composite.xml
  • Right Click on the external reference and click Configure SOA WS policies..
  • Under Security click on the + button
  • Scroll down and select oracle/wss_username_token_client_policy and then OK
  • For OSB, same option is available on the business-services.
  • Username and password to be passed to the service should be configured as KEYS in EM console > security credentials section. Refer next section to learn how to do that
  • The configured key has to be entered in the csf-key property in the Reference tag in the composite.xml as highlighted below.
composite.xml
<reference name="asyncProc"
             ui:wsdlLocation="http://localhost:7101/soa-infra/services/testing/AsyncProcess!1.0/WSDLs/AsyncBPELProcess.wsdl">
    <interface.wsdl interface="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.interface(AsyncBPELProcess)"/>
    <binding.ws port="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.endpoint(asyncbpelprocess_client_ep/AsyncBPELProcess_pt)"
                location="http://localhost:7101/soa-infra/services/testing/AsyncProcess/asyncbpelprocess_client_ep?WSDL"
                soapVersion="1.1">
      <property name="weblogic.wsee.wsat.transaction.flowOption" type="xs:string" many="false">WSDLDriven</property>
      <property name="csf-key" type="xs:string" many="false">TestKey</property>
    </binding.ws>
  </reference>


How to configure keys in Weblogic server


  • Log on to weblogic em console
  • Right click on Weblogic Domain > Default Domain
  • Click on Security > Credentials 
  • Create a new map (oracle.wsm.security)and create a key under oracle.wsm.security
    • I think the map name has to oracle.wsm.security




How to create an user in Weblogic server


This is a very simple configuration where there are no external identity stores are configured with weblogic server (like OID or MS Active directory)

  • Go to Weblogic Console home > Security Realms > myrealm
  • Click on Users and Groups tab
  • Click on New button and enter username/password details.


Post a Comment